NASA Privacy Impact Assessment (PIA) Analysis Worksheet
Section 1 - System Identification
a. System Name:
Summer of Innovation Evaluation
(generally the name that the system is accessed by. www.nasa.gov, when Web
enabled, for example)
b. System Owner/Information Owner:
Person responsible for funding
BRIAN L. YODER
Phone Number: 202.358.7338
E-Mail: byoder@hq.nasa.gov
c. System Manager:
Person responsible for technical operation
BRIAN L. YODER
Phone Number: 202.358.7338
E-Mail: brian.yoder@nasa.gov
d. Person preparing IPTA/PIA:
BRIAN L. YODER
Phone Number: 202.358.7338
E-Mail: brian.yoder@nasa.gov
e. System Description:
Program Evaluation of Summer of Innovation Anonymous Statistical Information
f. Mission Program/Project Supported:
Office of Education/Summer of Innovation
g. System Security Plan Number:
NN-101-H-NHQ-0007
h. System Location:
Center: Abt Associates
Street Address: 4550 Montgomery Avenue
Building:
City: Bethesda
State: MD
ZIP: 20814-3343
(Center or contractor office building, room, city and state)
i. Status of the System:
Development
* As used in this document "System" means an organized collection of information which may encompass IT hardware systems,
applications, and databases. "System" may be an infrastructure, one or more applications, one or more databases, an electronic
information collection, or any combination thereof.
Response
Comments
Section 2 - Privacy Impact Assessment Initial Screening
Must be completed for all systems.
a. Is this a new system or has any of
the major changes listed in the
Comments column occurred to the
system since the conduct of the last
IPTA/PIA?
New
System/Project
Previously not
assessed
Re-evaluation
Major Change
If Major Change selected, choose one of the
following
Conversions
Anonymous to Non-Anonymous
Significant System Management Changes
Significant Merging
New Public Access
Commercial Sources
Internal Flow or Collection
New Interagency Use
Alteration in Character of Data
Other (Describe):
b. Does this system/project relate solely
to an infrastructure?
Yes
No
If yes, how many applications currently reside
on infrastructure?
c. Does/Will the system contain (store)
information in identifiable form (IIF)
within any database(s), record(s), file(s)
or Web site(s) hosted by this system? If
yes, check all that apply in the
Comments column. If the category of
personal information is not listed,
please check Other and identify the
category.
Yes
Name
No
Date of birth
Social Security Number (or other number
originated by a government that specifically
identifies an individual)
Photographic identifiers (e.g., photograph
image, x-rays, and video)
Driver license
Biometric identifiers (e.g., fingerprint and
voiceprint)
Mother maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or
numbers (e.g., checking account number and
Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and
marriage)
Legal documents or notes (e.g., divorce
decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing
aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other (Describe):
d. Indicate all the categories of
individuals about whom IIF is or will be
collected.
NA
Categories of individuals:
Government Employees
NASA Contractors
Members of the public (excluding
contractors and partners)
Business Partners/Contacts, Grantees
(including, but not limited to federal, state, local
agencies)
Contractors/Vendors/Suppliers
Other:
e. Are/Will Records on 10 or more
members of the public containing IIF
[be] collected, maintained (stored), or
disseminated by this system?
Yes
No
NA
Section 3 - Records Management Assessment
a. Does/Will the system contain Federal
records?
Yes
No
b. If the system contains/will contain
Federal records, which disposition
authority applies?
NRRS
GRS
Retention Schedule: 1392-68C teacher/student contact information, 1392-68D
survey data
Unknown or
not currently
scheduled
NA
c. Are the records in this system (or will
they be) generated in the process of
NASA program/project formulation,
design, development, or operation as
described in NPR 7120?
d. Are the records Vital records for the
organization?
Yes
No
NA
Yes
No
NA
Section 4 - Paperwork Reduction Act Assessment
a. Does/will the system collect
information in a standard way (forms,
web enabled forms, surveys,
questionnaires, etc) from members of
the public (including contractors),
regardless of format (paper, electronic
or oral)?
Yes
No
If yes, indicate format of collection:
Paper
Electronic
Oral
b. Is the information collection indicated
above authorized by an OMB Approval
Number under the Paperwork
Reduction Act (PRA)? If yes, please
provide PRA Approval Number under
Comments.
Yes
PRA OMB Approval Number: Pending
No
Applied for
NA
Unknown/Other
Section 5 - Privacy Act Requirements Assessment
a. Are records (or will records) on
individuals be routinely retrieved from
the system by using name or a unique
identifier?
Yes
No
If yes, indicate data elements used to retrieve
record:
Name
Date of birth
Social Security Number (or other number
originated by a government that specifically
identifies an individual)
Photographic identifiers (e.g., photograph
image, x-rays, and video)
Driver license
Biometric identifiers (e.g., fingerprint and
voiceprint)
Mother maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or
numbers (e.g., checking account number and
Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and
marriage)
Legal documents or notes (e.g., divorce
decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing
aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other (Describe):
b. Has a Privacy Act System of Records
Notice (SORN) been published in the
Federal Register for this system? If no,
choose the reason of why not or specify
other reason in the Comments column.
Yes
No
NA
IIF is in the system, but records are not
retrieved by individual identifier.
Should have published an SORN, but was
unaware of the requirement.
System is required to have an SORN but is
not yet procured or operational.
Other (Describe):
c. If a SORN has been published, have
major changes to the system occurred
since publication of the SORN?
Yes
No
NA
Section 6 - Information Sharing Practices
Note: If yes, specify resource(s) and purpose for each instance in the Comments column.
a. Is the IIF in the system voluntarily
submitted (or will it be)?
Yes
No
NA
b. Does/Will the system collect IIF
directly from individuals?
Yes
No
NA
c. Does/Will the system collect IIF from
other resources (i.e., databases, Web
sites, etc.)?
Yes
No
NA
d. Does/Will the system populate data
for other resources (i.e., do databases,
Web sites, or other resources rely on
this system's data)?
Yes
Resource and Purpose:
No
1
NA
2
3
4
Other
e. Does/Will the system share or
disclose IIF with agencies external to
NASA, or other people or organizations
outside NASA?
Yes
With whom and for what purpose:
No
1 Abt Associates and locally hired evaluators
will collect IIF. They will have access to the IIF
they collect. IIF will be used to send follow-up
surveys and collect student administrative
data.
NA
2
3
4
Other
f. If the IIF in the system is or will be
matched against IIF in one or more
other computer systems internal or
external to NASA, are (or will there be)
computer data matching agreement(s)
in place?
Yes
No
Location of other systems involved in
matching:
Internal to NASA
NA
External to NASA
Other systems involved in matching:
g. Will the IIF be de-identified,
aggregated, or otherwise made
anonymous?
h. Is there a process, either planned or
in place, to notify organizations or
systems that are dependent upon the
IIF contained in this system when
changes occur (i.e., revisions to IIF,
when the system encounters a major
change, or is replaced)?
i. Is there a process, either planned or
in place, to notify and obtain consent
from the individuals whose IIF is in the
system when major changes occur to
the system (e.g., disclosure and/or data
uses have changed since the notice at
the time of the original collection?
j. Is there (or will there be) a process in
place for individuals to choose how their
IIF is used?
Yes
De-identified
No
Aggregated
NA
Anonymous
Yes
No
NA
Yes
No
NA
Yes
Process: Participation is optional
No
NA
k. Is there (or will there be) a complaint
process in place for individuals who
believe that their IIF has been
inappropriately obtained, used, or
disclosed, or that the IIF is inaccurate?
l. Are there (or will there be) processes
in place for periodic reviews of IIF
contained in the system to ensure the
data's integrity, availability, accuracy,
and relevance?
Yes
No
NA
Yes
No
NA
m. Are there (or will there be) rules of
conduct in place for access to IIF on the
system?
Yes
Users
No
Administrators
NA
Developers
Contractors
For what purpose:
1 Sending follow-up surveys to Summer of
Innovation participants
2 Collecting student administrative data
3
4
Other
n. Is there (or will there be) a process in
place to log routine and non-routine
disclosures and/or unauthorized
access?
Yes
Disclosures logged (check all apply):
No
Routine
NA
Non-routine
Public Internet (Describe):
Section 7 - Web Site Hosting Practices
Note: If yes, identify what type of site the system hosts in the Comments column. If no or n/a, skip this section and start with
next section.
a. Does/Will the system have a Web
interface?
Yes
Type of site (check all apply):
No
Public Internet (Describe): Some requests
for surveys will be sent via email. Survey
information requests will be web-based and
will not include IIF.
NA
Internal NASA (Describe):
b. Is the Web site (or will it be)
accessible by the public or other entities
(i.e., federal, state, and local agencies,
contractors, third-party administrators,
etc.)?
Yes
1
No
2
NA
3
4
c. Is the Agency Web site privacy policy
statement posted (or will it be posted)
on the Web site?
Yes
No
NA
d. Is the Web site's privacy policy in
machine-readable format, such as
Platform for Privacy Preferences
(P3P)?
Yes
Implementation Plan:
No
NA
e. Does/Will the Web site employ
persistent tracking technologies?
Yes
Session cookies
No
Persistent cookies
NA
Web bugs
Web beacons
Other (Describe):
Authorizing Official:
Authorizing Date:
f. Does/Will the Web site collect or
maintain personal information from or
about children under the age of 13?
Yes
No
NA
g. Does/Will the Web site collect or
maintain personal information from or
about children under the age of 13,
please indicate how the information is
collected?
NA
What Information is collected:
How the information is collected (check all
apply):
Actively directly from the child
Passively through cookies
h. If the Web site does/will collect or
maintain personal information from or
about children under the age of 13, is
the information shared with any
non-NASA organizations, grantees,
universities, etc.?
i. If the Web site does/will collect or
maintain personal information from or
about children under the age of 13,
specify what method is used for
obtaining parental consent?
Yes
No
NA
NA
Information is shared with: Information will be
collected by locally hired evaluators, and Abt
Associates, the national evaluation contractor,
but IIF will not be collected via a website.
Method used for obtaining parental consent
(check all apply):
No consent is obtained
Simple email
Email accompanied by digital signature
Signed form from the parent via postal mail
or facsimile
Accepting and verifying a credit card
number in connection with a transaction
Taking calls from parents, through a
toll-free telephone number staffed by trained
person
j. Does/Will the Web site collect IIF
electronically from any individuals?
Yes
Personal Information
No
Name
NA
Date of birth
Social Security Number (or other number
originated by a government that specifically
identifies an individual)
Photographic identifiers (e.g., photograph
image, x-rays, and video)
Driver license
Biometric identifiers (e.g., fingerprint and
voiceprint)
Mother maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or
numbers (e.g., checking account number and
Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and
marriage)
Legal documents or notes (e.g., divorce
decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing
aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other (Describe):
k. Does/Will the Web site provide a
PDF form to be completed with IIF from
any individuals and then mailed or
otherwise provided to NASA?
Yes
Personal Information
No
Name
NA
Date of birth
Social Security Number (or other number
originated by a government that specifically
identifies an individual)
Photographic identifiers (e.g., photograph
image, x-rays, and video)
Driver license
Biometric identifiers (e.g., fingerprint and
voiceprint)
Mother maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or
numbers (e.g., checking account number and
Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and
marriage)
Legal documents or notes (e.g., divorce
decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing
aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other (Describe):
l. Does/Will the Web site share IIF with
other organizations within NASA,
agencies external to NASA, or other
people or organizations outside NASA?
Yes
With whom Information is shared:
No
1
NA
2
Other
m. Are rules of conduct in place (or will
they be in place) for access to IIF on
the Web site?
Yes
Users
No
Administrators
NA
Developers
Contractors
For what purpose:
1
2
3
4
Other
n. Does/Will the Web site contain links
to sites external to the Center that owns
and/or operates the system?
Yes
Disclaimer notice for all external links
No
NA
Section 8 - Administrative Controls
Note: If yes, enter the CA (Authorization to Operate (ATO)) date in the comments column. If no or the system is under
development and not yet authorized to operate at the time of this PIA, please enter a planned CA timeline in the comments
column.
a. Has the system been certified and
accredited (authorized to operate): 'y' or
'n'?
Yes
No
CA Plan/Timeline: The system is currently in
process of being Accredited at medium level
C&A.
NA
b. Have personnel (system owners,
managers, operators, contractors
and/or program managers) using the
system been (or will they be) trained
and made aware of their responsibilities
for protecting the IIF being collected
and maintained?
Yes
No
NA
c. Who has/will have access to the IIF
on the system?
Check all that apply
Users
Administrators
Developers
Contractors
Others
d. If contractors operate or use the
system, do the contracts include
clauses ensuring adherence to privacy
provisions and practices?
Yes
No
NA
e. Are methods in place to ensure that
access to IIF is restricted to only those
required to perform their official duties?
Yes
No
Method(s): Only contractors who need access
to IIF for evaluation business process
purposes, will have access to the information.
NA
f. Are there policies or guidelines in
place for the retention and destruction
of IIF within the application/system?
Yes
No
Policies/Practices: All IIF will be destroyed
after it is no longer needed for evaluation
business processes.
NA
Section 9 - Technical Controls
a. Are technical controls in place to
minimize the possibility of unauthorized
access, use, or dissemination of the
data in the system (or will there be)?
Yes
No
NA
b. Are any of the password controls
listed in the Comments column in place
(or will there be)?
Yes
No
NA
Check all that apply:
Passwords expire after a set period of time.
Accounts are locked after a set period of
inactivity.
Minimum length of passwords is eight
characters.
Passwords must be a combination of
uppercase, lowercase, and special characters.
Accounts are locked after a set number of
incorrect attempts.
c. Is there (or will there be) a process in
place to monitor and respond to privacy
and/or security incidents?
Yes
No
NA
Section 10 - Physical Controls
a. Are physical access controls in place
(or will they be)?
Yes
No
NA
Privacy Impact Assessment (PIA) Summary
Date of this Submission: Jul 16, 2010
NASA Center: Abt Associates
System Name: Summer of Innovation Evaluation
Is this application or information collection new or is an existing one being modified? Not New
Does this application collect, maintain, and/or disseminate information in identifiable form (IIF)? No
Mission Program/Project Supported: Office of Education/Summer of Innovation
Identifying Numbers (Use N/A, where appropriate)
Privacy Act System of Records Number: N/A
OMB Information Collection Approval Number and Expiration Date: N/A
Other Identifying Number(s): N/A
Description
1. Provide an overview of the application or collection and indicate the legislation authorizing
this activity:
The application facilitates the collection of information needed to evaluate NASA Summer of
Innovation projects across the United States. The SoI initiative encourages students who
under-perform, are underrepresented, and under-served in STEM education to: 1) hold positive
opinions of STEM education/fields and careers, 2) increase their knowledge of STEM fields/careers,
and 3) improve their grades in STEM related classes and increase scores on state science and math
achievement tests. Teachers who attend SoI teacher professional development will bring those STEM
related pedagogical skills back to the classroom the following year and improve their classroom
instruction in STEM education, and will reduce their anxiety about teaching STEM in the classroom.
The Summer of Innovation project is one NASA initiative to achieve the educational outcomes as
directed by the Space Act of 1958, the Vision for Space Exploration, NASA's Education Strategic
Coordination Framework as well as the Strategic Management of Human Capital initiative under the
President's Management Agenda.
2. Describe the information the agency will collect, maintain, or disseminate and how the
agency will use the information. In this description, indicate whether the information contains
IIF and whether submission is voluntary or mandatory:
NASA Office of Education is collecting survey data from participants in the Summer of Innovation as
well as student administrative data (i.e. grades in STEM related classes, course selection, scores of
Math and Science achievement tests) over three years for the purposes of evaluating the overall
effectiveness of the Summer of Innovation project. IIF is being collected for the purposes of contacting
SoI participants to give them surveys and for collecting student administrative data. Submission of
information is voluntary. When students and teachers enroll in a Summer of Innovation (SoI) activity,
they will be asked if they wish to participate in the evaluation of the Summer of Innovation and they will
be asked to provide IIF which will include: first name, last name, date of birth, email, phone number,
mailing address, and in the case of students: parent's name, parent's phone number, parent's email
address, parent's address. Information will be verified by a contractor. Participation in the SoI
evaluation and submission of IIF is voluntary.
3. Explain how the IIF is collected, maintained, and/or disseminated is the minimum necessary
to accomplish the purpose for this effort:
An anticipated outcome of the Summer of Innovation initiative is that students who participate in an
initial SoI activity will, over the next three years, improve their knowledge/attitudes toward STEM
education, will score better on Science and Math achievement tests, will engage in more STEM
related activities, and will track into advanced Math and Science classes. The only way to evaluate this
important SoI goal is to collect survey data from students over the three years following student's
initial SoI activity, and to collect student administrative data. Another anticipated outcome of SoI is
teachers who participate in an initial SoI professional development activity will improve their classroom
instruction in STEM, and will have reduced their anxiety about teaching STEM in the classroom. The
only way to evaluate this outcome is to collect survey data from teachers over the three years
following teacher's initial SoI activity. When students and teachers enroll in a Summer of Innovation
activity, they will be asked if they wish to participate in the evaluation of the Summer of Innovation
project and to provide IIF which will include: first name, last name, date of birth, email, phone number,
mailing address, and in the case of students: parent's name, parent's phone number, parent's email
address, parent's address. Information will be verified by a contractor. Participation in the evaluation
and submission of IIF is voluntary. Evaluation contractors will use this information to follow-up with SoI
participants to have them complete surveys and collect student administrative data.
4. Explain why the IIF is being collected, maintained, or disseminated:
The only way to evaluate the main anticipated outcomes/goals of the Summer of Innovation (SoI) is to
collect survey data from students and teachers over the three years following their initial SoI activity,
and to collect student administrative data. IIF is collected to send follow-up surveys to students and
teachers who participate in the SoI evaluation and to collect student administrative data.
5. Identify with whom the agency will share the IIF:
Local evaluators hired by grantees and a national evaluation contractor will have access to the IIF they
collect. The local evaluators and the national evaluation contractor will only have access to the IIF they
collect, and will use the IIF for the purposes of sending surveys and collecting student administrative
data. The local evaluators and national evaluation contractor will not share the IIF they collect with
anyone else.
6. Describe how the IIF will be obtained, from whom it will be collected, what the suppliers of
the information and the subjects will be told about the information collection, and how this
message will be conveyed to them (e.g. written notice, electronic notice if a Web-based
collection). Describe any opportunities for consent provided to individuals regarding what
information is collected and how the information will be shared:
IIF will be obtained via multiple methods: paper, telephone interview, and web-based data collection.
Suppliers of the information may receive the message about why they are being asked to provide IIF
and how their IIF will be used by any one, or multiple methods. The message they receive will be that
subjects have the option to be part of the information collection (Summer of Innovation evaluation)
when they sign-up to participate in the Summer of Innovation. The purpose of the information
collection is to evaluate the overall effectiveness of the Summer of Innovation program. The
participation form will clearly state that they can opt out of information collection (Summer of
Innovation evaluation) and still participate in Summer of Innovation activities. If they opt in, they will
receive follow-up information via paper, telephone interview, and/or email requesting additional
information.
7. State whether the personal information will be collected from children under age 13 on the
Internet and, if so, how parental or guardian approval will be obtained. (Reference: Children's
Online Privacy Protection Act of 1998):
IIF may, in some cases, be collected from students under the age of 13, and the method of data
collection may be via email, telephone, or paper form. Parental or guardian approval will be obtained
at the beginning of the Summer of Innovation project. At the beginning of the Summer of Innovation,
parents will be contacted with the option to allow their child to participate in the Summer of Innovation
evaluation. Parents who approve of their child participating in the evaluation, will be requested to
provide additional information about their child, including: first name, last name, date of birth, school
name, mailing address and email address. Following initial parental or guardian approval, parents and
students will be contacted twice a year, once by post-card and once by telephone or email, with a
request to complete an additional survey. Each time the parent and student are contacted, they will be
informed about the purpose of the data collection and will be given the option to withdraw their child
from the evaluation for any reason, along with a telephone number to call to request the withdrawal of
their child's information/data. If a parent requests that their child be withdrawn from the Summer of
Innovation evaluation, all existing student data and information will be expunged from the system.
8. Describe how the IIF will be secured:
IIF collected on paper will be stored in locked filing cabinets until it is no longer needed. After IIF on
paper is no longer needed for evaluation business processes, it will be destroyed. IIF collected and
stored electronically, will be stored on a secure server and will be password protected. Only staff who
need access to the IIF to execute the business processes of the evaluation will have access to the IIF.
9. Describe plans for retention and destruction of IIF:
All IIF will be destroyed as soon as it is no longer needed for the business processes of the evaluation.
10. Identify whether a system of records is being created under section 552a of Title 5, United
States Code (the Privacy Act), or identify the existing Privacy Act system of records notice
under which the records will be maintained:
This associated system of records is existing: 10EDUA.
Point of contact to whom a member of the public can address questions concerning this
information system and the privacy concerns associated with it: Bryan McCall, 202-358-1767
Concur:
Concur:
Concurrence Credentials on File
Concurrence Credentials on File
BRIAN L. YODER
System Owner
BRYAN D. MCCALL
Center Privacy Manager
Date: 07/07/2010
Date:
Concur:
Approve:
Concurrence Credentials on File
BRYAN D. MCCALL
NASA Privacy Program Manager
LINDA Y. CURETON
NASA CIO
Date:
Date
Document History
Date | Action | Message
07/07/10 | Submitted to Center Privacy Manager by: BRIAN YODER | Hi Bryan: Here is the Summer of Innovation Evaluation PIA with changes made based on your comments. Thanks. Brian
07/07/10 | Submitted to Application Owner by: BRIAN YODER | Hi Bryan: Here is the Summer of Innovation Evaluation PIA with changes made based on your comments. Thanks. Brian
06/10/10 | Rolled back to: BRIAN YODER | I have rolled back the document to you for your modifications as per our discussion of 9JUN10.
06/07/10 | Submitted to Center Privacy Manager by: BRIAN YODER | Bryan, here's the revised PIA based on our conversation last Friday.
06/07/10 | Submitted to Application Owner by: BRIAN YODER | Bryan, here's the revised PIA based on our conversation last Friday.